6 matches found
CVE-2022-40488
CVE-2022-40488 affects ProcessWire v3.0.200 and is described as a Cross-Site Request Forgery (CSRF) vulnerability. Several connected sources (Red Hat, GHSA, OSV, CVE listings, CNNVD) consistently state CSRF presence. Some entries reference the root cause as insufficient CSRF validation (e.g., a l...
CVE-2022-40487
CVE-2022-40487: ProcessWire v3.0.200 is affected by multiple cross-site scripting (XSS) vulnerabilities in the Search Users and Search Pages functions, allowing an attacker to inject arbitrary web scripts or HTML through crafted payloads. This is documented across multiple sources (Red Hat, Vera...
CVE-2020-27467
ProcessWire CMS prior to version 2.7.1 is vulnerable to a local file inclusion via the download parameter in index.php. Affected component: index.php handling in ProcessWire <2.7.1. Root cause: directory traversal/LFI flaw enabling retrieval of sensitive files. Impact: per Nuclei template, att...
CVE-2023-24676
ProcessWire 3.0.210 is affected by a vulnerable download_zip_url parameter used when installing a new module, which can allow arbitrary code execution and a reverse shell. The Red Hat, Veracode, OSV, and related entries concur with the core issue; exploitation is described as requiring admin priv...
CVE-2024-41597
ProcessWire v3.0.229 is vulnerable to Cross-Site Request Forgery via its comments functionality, allowing a remote attacker to execute arbitrary code through a crafted HTML file. The connected PT-Security entry recommends updating to a newer version that includes a fix. No exploit details are pro...
CVE-2025-60790
CVE-2025-60790 affects ProcessWire CMS 3.0.246. A low-privileged user with lang-edit can upload a crafted ZIP via Language Support, which is auto-extracted without limits before validation, causing resource exhaustion and a Denial of Service. The issue is documented across multiple feeds (NVD, Re...